Add keyboy related rules

d1dad74b · Tek · 49d3e963 · d1dad74b · d1dad74b · d1dad74b
Commit d1dad74b authored Jan 11, 2017 by Tek
Hide whitespace changes
Inline Side-by-side

Showing with 305 additions and 20 deletions

CVE-2012-0158.yar CVE_Rules/CVE-2012-0158.yar +23 -0

CVE_Rules_index.yar CVE_Rules_index.yar +1 -0

APT_KeyBoy.yar malware/APT_KeyBoy.yar +281 -20

No files found.
--- a/CVE_Rules/CVE-2012-0158.yar
+++ b/CVE_Rules/CVE-2012-0158.yar
+/*
+*
+* Signature for the CVE-2012-0158 used in KeyBoy operation
+* Ref https://citizenlab.org/2016/11/parliament-keyboy/
+*
+*/
+rule CVE_2012_0158_KeyBoy {
+  meta:
+      author = "Etienne Maynier <etienne@citizenlab.ca>"
+      description = "CVE-2012-0158 variant"
+      file = "8307e444cad98b1b59568ad2eba5f201"
+
+  strings:
+      $a = "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001" nocase // OLE header
+      $b = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" nocase // junk data
+      $c = /5(\{\\b0\}|)[ ]*2006F00(\{\\b0\}|)[ ]*6F007(\{\\b0\}|)[ ]*400200045(\{\\b0\}|)[ ]*006(\{\\b0\}|)[ ]*E007(\{\\b0\}|)[ ]*400720079/ nocase
+      $d = "MSComctlLib.ListViewCtrl.2"
+      $e = "ac38c874503c307405347aaaebf2ac2c31ebf6e8e3" nocase //decoding shellcode
+
+
+  condition:
+      all of them
+}
--- a/CVE_Rules_index.yar
+++ b/CVE_Rules_index.yar
@@ -12,3 +12,4 @@ include "./CVE_Rules/CVE-2015-2545.yar"
 include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2015-2426.yar"
 include "./CVE_Rules/CVE-2013-0422.yar"
+include "./CVE_Rules/CVE-2012-0158.yar"
--- a/malware/APT_KeyBoy.yar
+++ b/malware/APT_KeyBoy.yar
@@ -6,7 +6,7 @@
 import "pe"

 rule KeyBoy_Dropper  : dropper
-{  
+{
    meta:
        Author      = "Rapid7 Labs"
        Date        = "2013/06/07"
@@ -14,15 +14,15 @@ rule KeyBoy_Dropper  : dropper
        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"

    strings:
-        $1 = "I am Admin"  
-        $2 = "I am User"  
-        $3 = "Run install success!"  
-        $4 = "Service install success!"  
-        $5 = "Something Error!"  
-        $6 = "Not Configed, Exiting"  
+        $1 = "I am Admin"
+        $2 = "I am User"
+        $3 = "Run install success!"
+        $4 = "Service install success!"
+        $5 = "Something Error!"
+        $6 = "Not Configed, Exiting"

-    condition:  
-        all of them  
+    condition:
+        all of them
 }

 rule KeyBoy_Backdoor  : Backdoor APT
@@ -33,14 +33,275 @@ rule KeyBoy_Backdoor  : Backdoor APT
        Description = "Strings inside"
        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"

-    strings:  
-        $1 = "$login$"  
-        $2 = "$sysinfo$"  
-        $3 = "$shell$"  
-        $4 = "$fileManager$"  
-        $5 = "$fileDownload$"  
-        $6 = "$fileUpload$"  
-
-    condition:  
-        all of them  
-} 
+    strings:
+        $1 = "$login$"
+        $2 = "$sysinfo$"
+        $3 = "$shell$"
+        $4 = "$fileManager$"
+        $5 = "$fileDownload$"
+        $6 = "$fileUpload$"
+
+    condition:
+        all of them
+}
+
+/*
+*
+* This section of the rules are all specific to the new 2016
+* KeyBoy sample targeting the Tibetan community. Other following
+* sections capture file characteristics observed across multiple
+* years of development.
+*
+*/
+rule new_keyboy_export
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the new 2016 sample's export"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        //The malware family seems to share many exports
+        //but this is the new kid on the block.
+        pe.exports("cfsUpdate")
+}
+
+
+rule new_keyboy_header_codes
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the 2016 sample's header codes"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    strings:
+        $s1 = "*l*" wide fullword
+        $s2 = "*a*" wide fullword
+        $s3 = "*s*" wide fullword
+        $s4 = "*d*" wide fullword
+        $s5 = "*f*" wide fullword
+        $s6 = "*g*" wide fullword
+        $s7 = "*h*" wide fullword
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        all of them
+}
+
+
+/*
+*
+* This section of the rules are all broader and will hit on
+* older KeyBoy samples and other samples possibly part of a
+* a larger development effort.
+*
+*/
+
+rule keyboy_commands
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the 2016 sample's sent and received commands"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    strings:
+        $s1 = "Update" wide fullword
+        $s2 = "UpdateAndRun" wide fullword
+        $s3 = "Refresh" wide fullword
+        $s4 = "OnLine" wide fullword
+        $s5 = "Disconnect" wide fullword
+        $s6 = "Pw_Error" wide fullword
+        $s7 = "Pw_OK" wide fullword
+        $s8 = "Sysinfo" wide fullword
+        $s9 = "Download" wide fullword
+        $s10 = "UploadFileOk" wide fullword
+        $s11 = "RemoteRun" wide fullword
+        $s12 = "FileManager" wide fullword
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        6 of them
+}
+
+rule keyboy_errors
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the sample's shell error2 log statements"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    strings:
+        //These strings are in ASCII pre-2015 and UNICODE in 2016
+        $error = "Error2" ascii wide
+        //2016 specific:
+        $s1 = "Can't find [%s]!Check the file name and try again!" ascii wide
+        $s2 = "Open [%s] error! %d" ascii wide
+        $s3 = "The Size of [%s] is zero!" ascii wide
+        $s4 = "CreateThread DownloadFile[%s] Error!" ascii wide
+        $s5 = "UploadFile [%s] Error:Connect Server Failed!" ascii wide
+        $s6 = "Receive [%s] Error(Recved[%d] != Send[%d])!" ascii wide
+        $s7 = "Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s" ascii wide
+        $s8 = "CreateThread UploadFile[%s] Error!" ascii wide
+        //Pre-2016:
+        $s9 = "Ready Download [%s] ok!" ascii wide
+        $s10 = "Get ControlInfo from FileClient error!" ascii wide
+        $s11 = "FileClient has a error!" ascii wide
+        $s12 = "VirtualAlloc SendBuff Error(%d)" ascii wide
+        $s13 = "ReadFile [%s] Error(%d)..." ascii wide
+        $s14 = "ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error..." ascii wide
+        $s15 = "CreateThread DownloadFile[%s] Error!" ascii wide
+        $s16 = "RecvData MyRecv_Info Size Error!" ascii wide
+        $s17 = "RecvData MyRecv_Info Tag Error!" ascii wide
+        $s18 = "SendData szControlInfo_1 Error!" ascii wide
+        $s19 = "SendData szControlInfo_3 Error!" ascii wide
+        $s20 = "VirtualAlloc RecvBuff Error(%d)" ascii wide
+        $s21 = "RecvData Error!" ascii wide
+        $s22 = "WriteFile [%s} Error(%d)..." ascii wide
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        $error and 3 of ($s*)
+}
+
+
+rule keyboy_systeminfo
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the system information format before sending to C2"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    strings:
+        //These strings are ASCII pre-2015 and UNICODE in 2016
+        $s1 = "SystemVersion:    %s" ascii wide
+        $s2 = "Product  ID:      %s" ascii wide
+        $s3 = "InstallPath:      %s" ascii wide
+        $s4 = "InstallTime:      %d-%d-%d, %02d:%02d:%02d" ascii wide
+        $s5 = "ResgisterGroup:   %s" ascii wide
+        $s6 = "RegisterUser:     %s" ascii wide
+        $s7 = "ComputerName:     %s" ascii wide
+        $s8 = "WindowsDirectory: %s" ascii wide
+        $s9 = "System Directory: %s" ascii wide
+        $s10 = "Number of Processors:       %d" ascii wide
+        $s11 = "CPU[%d]:  %s: %sMHz" ascii wide
+        $s12 = "RAM:         %dMB Total, %dMB Free." ascii wide
+        $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
+        $s14 = "Uptime:      %d Days %02u:%02u:%02u" ascii wide
+
+
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        7 of them
+}
+
+
+rule keyboy_related_exports
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the new 2016 sample's export"
+        date = "2016-08-28"
+        md5 = "495adb1b9777002ecfe22aaf52fcee93"
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        filesize < 200KB and
+
+
+        //The malware family seems to share many exports
+        //but this is the new kid on the block.
+        pe.exports("Embedding") or
+        pe.exports("SSSS") or
+        pe.exports("GetUP")
+}
+
+// Note: The use of the .Init section has been observed in nearly
+// all samples with the exception of the 2013 VN dropper from the
+// Rapid7 blog. The config data was stored in that sample's .data
+// section.
+rule keyboy_init_config_section
+{
+    meta:
+        author = "Matt Brooks, @cmatthewbrooks"
+        desc = "Matches the Init section where the config is stored"
+        date = "2016-08-28"
+
+    condition:
+        //MZ header
+        uint16(0) == 0x5A4D and
+
+        //PE signature
+        uint32(uint32(0x3C)) == 0x00004550 and
+
+
+        //Payloads are normally smaller but the new dropper we spotted
+        //is a bit larger.
+        filesize < 300KB and
+
+
+        //Observed virtual sizes of the .Init section vary but they've
+        //always been 1024, 2048, or 4096 bytes.
+        for any i in (0..pe.number_of_sections - 1):
+            (
+                pe.sections[i].name == ".Init" and
+                pe.sections[i].virtual_size % 1024 == 0
+            )
+}